'use strict'; module.exports.create = function (deps, config) { console.log('config', config); //var PromiseA = global.Promise; var PromiseA = require('bluebird'); var listeners = require('./servers').listeners; var domainUtils = require('./domain-utils'); var modules; var addrProperties = [ 'remoteAddress' , 'remotePort' , 'remoteFamily' , 'localAddress' , 'localPort' , 'localFamily' ]; function nameMatchesDomains(name, domainList) { return domainList.some(function (pattern) { return domainUtils.match(pattern, name); }); } function loadModules() { modules = {}; modules.tls = require('./modules/tls').create(deps, config, tcpHandler); modules.http = require('./modules/http').create(deps, config, modules.tls.middleware); } function checkTcpProxy(conn, opts) { var proxied = false; // TCP Proxying (ie forwarding based on domain name not incoming port) only works for // TLS wrapped connections, so if the opts don't give us a servername or don't tell us // this is the decrypted side of a TLS connection we can't handle it here. if (!opts.servername || !opts.encrypted) { return proxied; } function proxy(mod) { // First thing we need to add to the connection options is where to proxy the connection to var newConnOpts = domainUtils.separatePort(mod.address || ''); newConnOpts.port = newConnOpts.port || mod.port; newConnOpts.host = newConnOpts.host || mod.host || 'localhost'; // Then we add all of the connection address information. We need to prefix all of the // properties with '_' so we can provide the information to any connection `createConnection` // implementation but not have the default implementation try to bind the same local port. addrProperties.forEach(function (name) { newConnOpts['_' + name] = opts[name] || opts['_'+name] || conn[name] || conn['_'+name]; }); deps.proxy(conn, newConnOpts); return true; } proxied = config.domains.some(function (dom) { if (!dom.modules || !Array.isArray(dom.modules.tcp)) { return false; } if (!nameMatchesDomains(opts.servername, dom.names)) { return false; } return dom.modules.tcp.some(function (mod) { if (mod.type !== 'proxy') { return false; } return proxy(mod); }); }); proxied = proxied || config.tcp.modules.some(function (mod) { if (mod.type !== 'proxy') { return false; } if (!nameMatchesDomains(opts.servername, mod.domains)) { return false; } return proxy(mod); }); return proxied; } // opts = { servername, encrypted, peek, data, remoteAddress, remotePort } function peek(conn, firstChunk, opts) { if (!modules) { loadModules(); } opts.firstChunk = firstChunk; conn.__opts = opts; // TODO port/service-based routing can do here // TLS byte 1 is handshake and byte 6 is client hello if (0x16 === firstChunk[0]/* && 0x01 === firstChunk[5]*/) { modules.tls.emit('connection', conn); return; } // This doesn't work with TLS, but now that we know this isn't a TLS connection we can // unshift the first chunk back onto the connection for future use. The unshift should // happen after any listeners are attached to it but before any new data comes in. if (!opts.hyperPeek) { process.nextTick(function () { conn.unshift(firstChunk); }); } // Connection is not TLS, check for HTTP next. if (firstChunk[0] > 32 && firstChunk[0] < 127) { var firstStr = firstChunk.toString(); if (/HTTP\//i.test(firstStr)) { modules.http.emit('connection', conn); return; } } console.warn('failed to identify protocol from first chunk', firstChunk); conn.destroy(); } function tcpHandler(conn, opts) { function getProp(name) { return opts[name] || opts['_'+name] || conn[name] || conn['_'+name]; } opts = opts || {}; var logName = getProp('remoteAddress') + ':' + getProp('remotePort') + ' -> ' + getProp('localAddress') + ':' + getProp('localPort'); console.log('[tcpHandler]', logName, 'connection started - encrypted: ' + (opts.encrypted || false)); var start = Date.now(); conn.on('timeout', function () { console.log('[tcpHandler]', logName, 'connection timed out', (Date.now()-start)/1000); }); conn.on('end', function () { console.log('[tcpHandler]', logName, 'connection ended', (Date.now()-start)/1000); }); conn.on('close', function () { console.log('[tcpHandler]', logName, 'connection closed', (Date.now()-start)/1000); }); if (checkTcpProxy(conn, opts)) { return; } // XXX PEEK COMMENT XXX // TODO we can have our cake and eat it too // we can skip the need to wrap the TLS connection twice // because we've already peeked at the data, // but this needs to be handled better before we enable that // (because it creates new edge cases) if (opts.hyperPeek) { console.log('hyperpeek'); peek(conn, opts.firstChunk, opts); return; } function onError(err) { console.error('[error] socket errored peeking -', err); conn.destroy(); } conn.once('error', onError); conn.once('data', function (chunk) { conn.removeListener('error', onError); peek(conn, chunk, opts); }); } function udpHandler(port, msg) { if (!Array.isArray(config.udp.modules)) { return; } var socket = require('dgram').createSocket('udp4'); config.udp.modules.forEach(function (mod) { if (mod.type !== 'forward') { console.warn('found bad DNS module', mod); return; } if (mod.ports.indexOf(port) < 0) { return; } var dest = require('./domain-utils').separatePort(mod.address || ''); dest.port = dest.port || mod.port; dest.host = dest.host || mod.host || 'localhost'; socket.send(msg, dest.port, dest.host); }); } function createTcpForwarder(mod) { var dest = require('./domain-utils').separatePort(mod.address || ''); dest.port = dest.port || mod.port; dest.host = dest.host || mod.host || 'localhost'; return function (conn) { var newConnOpts = {}; addrProperties.forEach(function (name) { newConnOpts['_'+name] = conn[name]; }); deps.proxy(conn, Object.assign(newConnOpts, dest)); }; } deps.tunnel = deps.tunnel || {}; deps.tunnel.net = { createConnection: function (opts, cb) { console.log('[gl.tunnel] creating connection'); // here "reader" means the socket that looks like the connection being accepted // here "writer" means the remote-looking part of the socket that driving the connection var writer; var wrapOpts = {}; function usePair(err, reader) { if (err) { process.nextTick(function () { writer.emit('error', err); }); return; } // this has the normal net/tcp stuff plus our custom stuff // opts = { address, port, // hostname, servername, tls, encrypted, data, localAddress, localPort, remoteAddress, remotePort, remoteFamily } Object.keys(opts).forEach(function (key) { wrapOpts[key] = opts[key]; try { reader[key] = opts[key]; } catch(e) { // can't set real socket getters, like remoteAddr } }); // A few more extra specialty options wrapOpts.localAddress = wrapOpts.localAddress || '127.0.0.2'; // TODO use the tunnel's external address wrapOpts.localPort = wrapOpts.localPort || 'tunnel-0'; try { reader._remoteAddress = wrapOpts.remoteAddress; reader._remotePort = wrapOpts.remotePort; reader._remoteFamily = wrapOpts.remoteFamily; reader._localAddress = wrapOpts.localAddress; reader._localPort = wrapOpts.localPort; reader._localFamily = wrapOpts.localFamily; } catch(e) { } tcpHandler(reader, wrapOpts); process.nextTick(function () { // this cb will cause the stream to emit its (actually) first data event // (even though it already gave a peek into that first data chunk) console.log('[tunnel] callback, data should begin to flow'); cb(); }); } wrapOpts.firstChunk = opts.data; wrapOpts.hyperPeek = !!opts.data; // We used to use `stream-pair` for non-tls connections, but there are places // that require properties/functions to be present on the socket that aren't // present on a JSStream so it caused problems. writer = require('socket-pair').create(usePair); return writer; } }; deps.tunnelClients = require('./tunnel-client-manager').create(deps, config); deps.tunnelServer = require('./tunnel-server-manager').create(deps, config); var listenPromises = []; var tcpPortMap = {}; config.tcp.bind.filter(Number).forEach(function (port) { tcpPortMap[port] = true; }); (config.tcp.modules || []).forEach(function (mod) { if (mod.type === 'forward') { var forwarder = createTcpForwarder(mod); mod.ports.forEach(function (port) { if (!tcpPortMap[port]) { console.log("forwarding port", port, "that wasn't specified in bind"); } else { delete tcpPortMap[port]; } listenPromises.push(listeners.tcp.add(port, forwarder)); }); } else if (mod.type !== 'proxy') { console.warn('unknown TCP module specified', mod); } }); var portList = Object.keys(tcpPortMap).map(Number).sort(); portList.forEach(function (port) { listenPromises.push(listeners.tcp.add(port, tcpHandler)); }); if (config.udp.bind) { config.udp.bind.forEach(function (port) { listenPromises.push(listeners.udp.add(port, udpHandler.bind(port))); }); } if (!config.mdns.disabled) { require('./mdns').start(deps, config, portList[0]); } return PromiseA.all(listenPromises); };